Nmap Development mailing list archives
Re: GSoC 2012 Project - Vulnerability and exploitation specialist
From: Djalal Harouni <tixxdz () opendz org>
Date: Mon, 26 Mar 2012 11:09:21 +0100
Hi Aleksandar,

Thanks for the script. I've some comments:

On Mon, Mar 26, 2012 at 02:26:45AM +0200, Aleksandar Nikolic wrote:
> Hi, I've updated the script with your suggestions. Here's the sample output:
>
> 3389/tcp open  ms-wbt-server
> | rdp-ms12-020:
> |   VULNERABLE:
> |   MS12-020 Remote Desktop Protocol Vulnerability
> |     State: VULNERABLE
> |     IDs:  CVE:CVE-2012-0152,CVE-2012-0002
> |     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
> |     Description:
> |       Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
> |
> |     Disclosure date: 2012-03-13
> |     References:
> |       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
> |_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152,CVE-2012-0002
>
> I've fully commented all magic bytes, and added references to MSDN where available. Hope this clears things up a bit. Of course, if further details are needed, I would be more than happy to answer.
As you have explained in the previous mail, there are two vulnerabilities here:

  CVE-2012-0152  DoS (DoS marked by Microsoft?)
  CVE-2012-0002  RCE

Then in this case you need two vulnerability entries (two tables): the first one marked as a DoS and the next one marked EXPLOIT. If you confirm the first one then it's ok to add the second vulnerability table since they are fixed by the same patch. Two entries since perhaps there is someone out there with an exploit for the second one, and it is cleaner...

And if the script will panic Windows then you should add the 'dos' category. (I did not follow this RDP stuff, so sorry for my dumb questions.)

That said, if you have a test that will check/confirm the vulnerability without the DoS then it will be better to start with it, perhaps a version check or something else? After the patch, does something change in the first received bytes before the check?

Thanks.
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
-- 
tixxdz
http://opendz.org
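The reporting structure Djalal asks for above (two vulns-library entries, the RCE entry added only once the DoS condition is confirmed, and the script placed in the 'dos' category) looks like this in an NSE script. This is an added example, not Aleksandar's script and not code from Nmap. It assumes the CVE split stated in the thread (CVE-2012-0152 = DoS, CVE-2012-0002 = RCE). The probe `rdp_check` is assumed: the page does not reproduce the RDP exchange, so only the connection setup is real and the function returns nil (undetermined) until the author's own check is dropped in, which means the script as written reports nothing.

```lua
-- Added example: two MS12-020 findings reported as two separate entries
-- through the Nmap vulns library. Not Aleksandar's script, not Nmap code.
-- Assumed: rdp_check() stands in for the script's own RDP probe, which this
-- page does not reproduce.
local nmap = require "nmap"
local shortport = require "shortport"
local vulns = require "vulns"

description = [[
Reports the MS12-020 Remote Desktop Protocol issues as two vulnerability
entries: CVE-2012-0152 (denial of service) and CVE-2012-0002 (remote code
execution).
]]

author = "example"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-- "dos" is included because the confirming probe may crash the target.
categories = {"vuln", "intrusive", "dos"}

portrule = shortport.port_or_service(3389, "ms-wbt-server")

-- Both issues are fixed by the same bulletin, so the reference and the
-- disclosure date are shared by the two entries.
local MS12_020_REFS = {
  'http://technet.microsoft.com/en-us/security/bulletin/ms12-020',
}
local MS12_020_DISCLOSURE = {year = 2012, month = 3, day = 13}

-- Assumed probe. Contract: true when the DoS condition is confirmed, false
-- when the host behaves like a patched one, nil when the check could not
-- be run. Only the connection setup is implemented here.
local function rdp_check(host, port)
  local sock = nmap.new_socket()
  sock:set_timeout(5000)
  local ok = sock:connect(host, port)
  sock:close()
  if not ok then
    return nil  -- service not reachable, nothing to conclude
  end
  -- The RDP exchange that separates patched from unpatched hosts belongs
  -- here; it is not on this page, so the outcome is left undetermined.
  return nil
end

action = function(host, port)
  local dos_confirmed = rdp_check(host, port)
  if dos_confirmed == nil then
    return nil  -- NSE convention: no output when there is nothing to report
  end

  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  -- Entry 1: the condition the script actually tests for.
  local dos = {
    title = "MS12-020 Remote Desktop Protocol denial of service",
    IDS = {CVE = 'CVE-2012-0152'},
    risk_factor = "High",
    description = [[
Unpatched RDP servers can be crashed by a remote, unauthenticated attacker.
]],
    references = MS12_020_REFS,
    dates = {disclosure = MS12_020_DISCLOSURE},
    -- vulns prints STATE.DOS as "VULNERABLE (DoS)". NOT_VULN entries are
    -- hidden unless nmap runs with --script-args vulns.showall.
    state = dos_confirmed and vulns.STATE.DOS or vulns.STATE.NOT_VULN,
  }

  if not dos_confirmed then
    return report:make_output(dos)
  end

  -- Entry 2: added only once entry 1 is confirmed, on the reasoning from
  -- the thread that both are closed by the same patch. Marked VULN here
  -- because this script does not exploit it; STATE.EXPLOIT would print
  -- "VULNERABLE (Exploitable)" and claim more than the check shows.
  local rce = {
    title = "MS12-020 Remote Desktop Protocol remote code execution",
    IDS = {CVE = 'CVE-2012-0002'},
    risk_factor = "High",
    scores = {CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)"},
    description = [[
Remote Desktop Protocol vulnerability that could allow remote attackers to
execute arbitrary code on the targeted system.
]],
    references = MS12_020_REFS,
    dates = {disclosure = MS12_020_DISCLOSURE},
    state = vulns.STATE.VULN,
  }

  return report:make_output(dos, rce)
end
```

Run as `nmap -p 3389 --script rdp-ms12-020 --script-args vulns.showall <target>` to also see the NOT_VULN entry. Djalal suggests EXPLOIT for the second entry; the example uses VULN because a check-only script has not demonstrated exploitation, and switching to `vulns.STATE.EXPLOIT` is a one-line change if an exploit is later added. The CVSSv2 vector from Aleksandar's output is attached only to the RCE entry, since the page gives no separate score for the DoS issue.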
Current thread:
- GSoC 2012 Project - Vulnerability and exploitation specialist Aleksandar Nikolic (Mar 23)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Toni Ruottu (Mar 23)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist David Fifield (Mar 23)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Aleksandar Nikolic (Mar 24)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Aleksandar Nikolic (Mar 25)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Djalal Harouni (Mar 26)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Aleksandar Nikolic (Mar 26)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Djalal Harouni (Mar 26)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Aleksandar Nikolic (Mar 28)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist David Fifield (Mar 28)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Djalal Harouni (Mar 29)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Aleksandar Nikolic (Mar 29)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist David Fifield (Mar 29)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Toni Ruottu (Mar 29)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist David Fifield (Mar 29)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Aleksandar Nikolic (Mar 24)